Eskenazi Health patient sues after cyberattack data breach, asks for class action status

Eskenazi Health is facing legal action three months after disclosing that “bad actors” had obtained data during a cyberattack.

A patient, Terri Ruehl Young, filed suit in Indiana Commercial Court in Marion County on Friday against the Indianapolis-based public hospital and health care provider.

In her complaint, Young said she discovered a fraudulent charge of $370 on the credit card she used to pay Eskenazi. She said she also discovered an unauthorized attempt to change her name on her Equifax report.

“In addition to the out-of-pocket expenses plaintiff has incurred relating to the reasonable mitigation efforts that she has employed, plaintiff has also expended time and effort in order to mitigate the harm she has suffered on account of the data breach,” the complaint said.

Young is seeking class-action status on behalf of “all citizens of Indiana whose personal information was compromised in Eskenazi’s data breach.

An Eskenazi spokesman did not comment on the complaint, saying the health system had not yet been formally served with the lawsuit.

In early August, Eskenazi Health shut down its data network and diverted ambulances, following what it called an “attempted ransomware attack.” The safety-net health system, which operates Eskenazi Hospital west of downtown, said Thursday that no patient or employee data was compromised.

Three weeks later, Eskenazi Health warned its employees, providers, patients and vendors to closely monitor bank and credit card statements for suspicious activity.

The health system said some data “was obtained by bad actors” during the attack and released online.

The health system said its IT systems functioned properly, but it shut down the network to “maintain the safety and integrity of our patient care.”

It said there was no evidence of bank or credit card fraud, but it said “employees, providers, patients, former patients and vendors should closely monitor bank and credit card statements, as well as other personal information, and report any suspicious activity to authorities and financial institutions.”

It encouraged anybody possibly affected to obtain a free credit report from Equifax, Experian and TransUnion.

The lawsuit said that on or about Nov. 11, Eskenazi notified more than 1.5 million current and former patients, employees, and providers that “sophisticated cybercriminals” had gained access to its networks in May.

It said the compromised information included patients’, employees’, and providers’ names, dates of birth, age, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnoses, clinical information, physicians’ names, insurance information, prescriptions, driver’s license numbers, passport numbers, face photos, Social Security numbers, and credit card information.

It said victims did not start receiving letters notifying them of the data breach or detailing which specific types of their personal information was compromised until six months after the breach and more than three months after Eskenazi discovered it.

The complaint said that patients, employees and others trusted Eskenazi with their sensitive, personal information.

“But Eskenazi betrayed that trust,” the suit said. “Eskenazi failed to properly use up-to-date security practices to prevent the data breach, and when the data breach was discovered, (Eskenazi) failed to promptly notify victims of the data breach of the types of information that was stolen.”

The complaint accuses Eskenazi of breach of contract and unjust enrichment, and asks for a jury trial. The suit was filed by Indianapolis law firms Cohen and Malad and John Steinkamp & Associates.